IoT Working Group Crafts Framework For Security, Privacy

Microsoft, Symantec, Target, home security system vendor ADT and others team up and issue security recommendations for some consumer Internet of Things things -- but embedded firmware remains a wildcard.

An industry working group that includes members from Microsoft, Symantec, Target, and home security system vendor ADT today issued draft recommendations for locking down the privacy and security of home automation and consumer health and fitness wearable devices with security practices such as unique passwords, end-to-end encryption of sensitive and personal information, and a coordinated patching and update mechanism, as well as other measures.

The Online Trust Alliance (OTA) Internet of Things Working Group hopes that IoT manufacturers, developers, and retailers will adopt the proposed guidelines, and is asking for industry input.

But the catch is that the embedded firmware in many IoT devices is not necessarily patchable, nor does the consumer device manufacturer necessarily have control or say over the security of the firmware it embeds in its products.

And as demonstrated in the recent hacking of the Jeep Cherokee where researchers were able to control the vehicle's steering, braking, and other features, the supply chain can be the weakest link. In the Fiat Chrysler case, it was a vulnerable communications port that was left wide open in the Harman uConnect infotainment system installed in the vehicles: cellular provider Sprint subsequently shut down the 6667 port, which the researchers used to access the Jeep's controls.

"It is a supply chain issue. If you look at the device, you are getting off-the-shelf firmware. How can you update it? Can you?" says Craig Spiezle, executive director and president of OTA, says of home automation and consumer wearable devices. "Embedded firmware is a concern--we highlighted this [in the framework]. We're aren't quite sure how best to do this: if that firmware can't be upgraded without a service technician coming out [to do it, for example] … How is that handled over time?"

The framework calls for IoT makers to have the ability to fix bugs quickly and reliably via remote updates or other notifications to consumers -- or even device replacement, if needed. And that item comes with this caveat: "It is recognized that some embedded devices' current design may not have this capability and it is recommended such update/upgradability capabilities be clarified to the consumer in advance of purchase."

Time is another factor with IoT devices. Networked thermostats, garage-door openers, and other in-home devices change hands when the house does, but the former residents could still have access. And what happens after a warranty expires on smart device and there's a breach, Spiezle says.

"We talk about not just security, privacy, and disclosure of the data that's collected, but also the lifecycle issues. How do they support [these devices] over time and beyond the warranty," he says.

The working group plans to finalize a formal IoT framework -- which includes some 22 minimum requirements plus a dozen optional additional measures -- and program around mid-November, after gathering input from Congress, the White House, Federal Trade Commission, and other entities.

Brian Knopf, an IoT security expert, says when he worked at Belkin, dealing with vulnerabilities in OEM'ed chipsets and firmware for its products was a big challenge. "We were not able to get access to their [the OEM's] code" if there was a bug discovery in the Belkin device, he says. "We were under NDA" due to their supplier relationship, he says.

That was problematic because an SDK from the chipset manufacturer often gets shipped with manufacturer backdoors and command-line interfaces, for instance, left there purposely, according to Knopf, a speaker last week at the first-ever IoT Village at DEF CON 23, and the former principal security advisor and researcher at Wink Inc.

But IoT vendors can avoid these issues at the get-go, says Nicholas Percoco, vice president of global services at Rapid7. "One approach they can take is get a bunch of OEM components, slap them together and sell it," he says.

A better approach would be to spell out the vulnerability issue with a firmware supplier in advance, Percoco says. "How do we get updates, what SLA [service level agreements] are for getting updates."

But the reality is that consumer IoT devices such as baby monitors come with very old versions of the Linux kernel and Open SSL, for example, Percoco says. "Is that poor systems development or being negligent? How hard is it to get the latest version of OpenSSL?"

Building Security Into IoT

IoT security isn't all about patching, however. The IoT software and firmware suppliers can take a page from the book of other applications, namely Windows-based ones, for example, and incorporate attack mitigation techniques such as Address Space Layout Randomization (ASLR), says Jacob Holcomb, senior security analyst with Independent Security Evaluators and one of the organizers of the DEF CON IoT Village.

Holcomb suggests adding ASLR or other protections such as inserting so-called canary values, which would protect the firmware form overflow attacks. "The overflow would terminate before it was exploited," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

I'm concerned about the "security, privacy, and disclosure of the data that's collected." We know that a large volume of very sensitive IoT data that is already collected and stored in Big Data environments, or shared with cloud-based services. Some good guidance can be found in recent reports from Gartner.

Gartner also released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach." The report recommended CIOs and CISOs to address data residency and compliance issues by "applying encryption or tokenization," and to also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys."

An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.